Microsoft have released an urgent patch for Windows Server 2008 and later, running Domain Name Service (DNS) typically used with Active Directory Identity Management, to address the CVE-2020-1350 security vulnerability. Code-named SIGRed, it has the highest possible CVSS score of 10, and allows remote code execution. 
Discovered and named by Checkpoint Software Technology researchers, SIGRed is capable of propagating to other servers without action, putting it in the “worm” category of malware. Other examples of this type of malware include the Slapper and Slammer worms that came to light in the early 2000s.
Mitigations for SIGRed
Organizations are advised to install the security patch released by Microsoft as soon as possible. If they can’t update their systems immediately, they can apply a registry workaround manually (see below).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00
The DNS service needs to be restarted after this registry modification for it to take effect.
Organisations need continuous threat intelligence to counter issues such as this one. Looking Glass Cyber’s ScoutPRIME is an excellent tool to provide this service – contact Agilient today to find out more.
Author: David Steele, Agilient Cybersecurity Consultant
